PRIVACY NOTICE

At AliveCor your privacy is important to us. Our Privacy Notice describes the information we collect, how we collect information, and the reasons we collect information. This Privacy Notice also describes the choices you have with the information we collect, including how you can manage, update, or request to delete information.

Please take a moment to review this Privacy Notice. You may scroll through this Privacy Notice or use the links below to navigate to specific sections. It is important that you understand this Privacy Notice. By using our website, mobile app, software, and/or services, you are agreeing to the terms of this Privacy Notice. If you have any questions or concerns about this Privacy Notice, you may Contact Us at any time.

For certain NHS and EEA users: Neither this Privacy Notice nor the GDPR Privacy Addendum apply to NHS-patients or other users using the Services under the direction of a healthcare provider, where in such case the healthcare provider or its employer is the Data Controller (e.g., an NHS organisation in the UK, any other government healthcare system, a public or private hospital or a physician’s office) and their privacy notice will apply, not this Privacy Notice.

Table of Contents

I. Who is AliveCor?

II. Key Terms & Definitions and Our Privacy Notice

When does our Privacy Notice apply?

When does our Privacy Notice not apply?

Our Privacy Notice and Terms of Service.

III. Personal Data

What is Personal Data?

What types of Personal Data do we collect?

How do we collect your Personal Data?

How do we use your Personal Data?

How do we share your Personal Data?

Your choices about how we share your Personal Data.

How do I access and correct my Personal Data?

IV. Who may use the Services?

V. Children's Privacy

VI. Does AliveCor respond to Do Not Track signals?

VII. Data Security

[VIII. Jurisdiction-Specific Privacy Rights](#viii jurisdiction-specific-privacy-rights)

IX. Changes to our Privacy Notice

X. Contact Us

I. Who is AliveCor?

Our mission is to save lives and transform cardiology by delivering intelligent, highly-personalized heart data to clinicians and patients anytime, anywhere.

AliveCor is not a medical group or a health care provider. AliveCor provides its users with the ability to obtain a telemedicine consultation provided by independent medical practitioners including, but not limited to, Florida Cardiac Health Medical Group, P.A. d/b/a Cardiac Health Medical Group and members of its Affiliated Covered Entity (collectively “Cardiac Health Medical Group”), an independent medical group with a network of United States based health care providers (each, a “Provider”). Cardiac Health Medical Group (or your own medical provider if you do not use a Cardiac Health Medical Group Provider) is responsible for providing you with a Notice of Privacy Practices describing its collection and use of your health information, not AliveCor.

II. Key Terms & Definitions and Our Privacy Notice

It is helpful to start by explaining some of our key terms and definitions used in this Privacy Notice.

When does our Privacy Notice apply?

This Privacy Notice describes the types of information we may collect from you when:

• You visit or use our Websites;

• You visit or use our Apps, including your use, subscription to or membership in KardiaCare, KardiaCare+ or KardiaComplete services;

• You use our Software;

• You use our Devices and connect them to a mobile device running our App; We communicate in e-mail, text message, and other electronic messages between you and us; and

• We communicate in person, such as on the phone or through a telehealth visit.

When does our Privacy Notice not apply?

This Privacy Notice does not apply to information collected by any other website operated either by us or by a third party, unless the website is listed above or links to this Privacy Notice. It also does not apply to any website that we may provide a link to or that is accessible from our Services.

Our Privacy Notice and Terms of Service.

This Privacy Notice is incorporated into our Terms of Service, which also apply when you use our Services.

III. Personal Data

What is Personal Data?

Personal data is information from and about you that may be able to personally identify you. We treat any information that may identify you as personal data. For example, your name and e-mail address are personal data.

What types of Personal Data do we collect?

We may collect and use the following personal data (hereinafter, collectively referred to as “Personal Data”):

How do we collect your Personal Data?

We collect most of this Personal Data directly from you. For example, when you set up an account through the App or sign up for Services, we may speak to you by phone, text message, and e-mail. Additionally, we will collect information from you when you visit our Website or App and fill out forms, use our Software or our Devices, or purchase or use our Services.

We may also collect Personal Data in the following ways:

• From your mobile device or smart watch.

• From third-party apps you choose to connect your mobile device to, such as Apple Health or Google Fit.

• When You Use A Premium Feature. When you choose to participate in a premium service from AliveCor (e.g., KardiaCare, KardiaCare +, and KardiaComplete), we collect additional information from you related to those services. Some premium features are paid services.

• When you make payments through the Service. We do not collect or store financial account information, though we may receive transaction identifiers and summary information that does not include credit card or bank account numbers.

• When You Use the KardiaPro Service. When healthcare professionals enroll in the KardiaPro service, we ask the healthcare professional to provide his or her National Provider Identifier (NPI) number. When a healthcare provider submits patient information through the KardiaPro service, based on permissions from both the patient and the healthcare professional, we receive patient profile information including: name, e-mail address, telephone number, birthdate, gender, medical record number, and any notes, tags, or voice memos submitted by the healthcare professional.

• When You Use The Clinical Review or Telehealth Services. If you use the clinical review or telehealth services through the App or participation in KardiaCare, KardiaCare+ or KardiaComplete services we will receive the results of your clinical analysis and deliver those results to you through the App. The clinical review and telehealth services are provided by licensed medical professionals from the Affiliated Covered Entities.

• When You Contact Us. When you contact AliveCor directly, such as when you contact our Customer Support team, we will receive the contents of your message or any attachments you may send to us, as well as any additional information you choose to provide.

We will also collect information automatically as you navigate through our Website and App. We use the following technologies to automatically collect data:

• Cookies. We and our service providers may use cookies, web beacons, and other technologies to receive and store certain types of information whenever you interact with our Services through your computer or mobile device. A “cookie” is a small file or piece of data sent from a website and stored on the hard drive of your computer or mobile device. Some of the cookies we use are “session” cookies, meaning that they are automatically deleted from your hard drive after you close your browser at the end of your session. Session cookies are used to optimize performance of the Website and to limit the amount of redundant data that is downloaded during a single session. We also may use “persistent” cookies, which remain on your computer or device unless deleted by you (or by your browser settings). We may use persistent cookies for various purposes, such as statistical analysis of performance to ensure the ongoing quality of our services. We and third parties may use session and persistent cookies for analytics and advertising purposes, as described herein. On your computer, you may refuse to accept browser cookies by activating the appropriate setting on your browser, and you may have similar capabilities on your mobile device in the preferences for your operating system or browser. However, if you select this setting you may be unable to access or use certain parts of our Services. Unless you have adjusted your browser or operating system setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Website or use our App.

• Google Analytics. We use Google Analytics, a web analytics service provided by Google, Inc. (“Google”) to collect certain information relating to your use of our Website. Google Analytics uses cookies, to help our Website analyze how users use the site. You can find out more about how Google uses data when you visit our Website by visiting “How Google uses data when you use our partners’ sites or apps”, (located at www.google.com/policies/privacy/partners/). For more information, please visit Google and pages that describe Google Analytics, such as www.google.com/analytics/learn/privacy.html.

• Mixpanel. Mixpanel is provided by Mixpanel Inc. (“Mixpanel”). You can prevent Mixpanel from using your information for analytics purposes by opting-out. To opt-out of the Mixpanel service please visit Mixpanel's site. For more information on what type of information Mixpanel collects, please visit Mixpanel's terms of use.

How do we use your Personal Data?

We may use your Personal Data for the following purposes:

• Operate, maintain, supervise, administer, and enhance our Website, our App, and our Software, including monitoring and analyzing the effectiveness of content of the Services, aggregate site usage data, and other usage of the Services such as assisting you in completing the registration process.

• Provide our products and services to you, in a custom and user-friendly way.

• Provide you with information, products, or services that you request from us or that may be of interest to you.

• Promote and market our Services to you. For example, we may use your Personal Data, such as your e-mail address, to send you news and newsletters, special offers, and promotions, or to otherwise contact you about products or information we think may interest you. We also may use the information that we learn about you to assist us in advertising our services on third party websites. You can opt-out of receiving these e-mails at any time as described below.

• To provide you notices or about your account.

• Contact you in response to a request.

• To notify you about changes to our Services or any products or services we offer or provide through them.

• Fulfill any other purpose for which you provide consent.

• To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection.

• Anonymize and aggregate information for analytics and reporting.

• To respond to law enforcement requests, court orders, and subpoenas and to carry out our legal and contractual obligations.

• Authenticate use, detect fraudulent use, and otherwise maintain the security of our Website, our App, our Software, and the safety of others.

• To administer surveys and questionnaires.

• To provide you information about goods and services that may be of interest to you, including through newsletters.

• Any other purpose with your consent.

How do we share your Personal Data?

We do not share, sell, or otherwise disclose your Personal Data for purposes other than those outlined in this Privacy Notice. However, we may disclose Personal Data that we collect or you provide as described in this Privacy Notice for the following reasonsPersonal DataPersonal Data:

• Our business purposes. We may share your Personal Data with our affiliates, vendors, service providers, and business partners, including our data hosting and data storage partners, analytics and advertising providers, technology services and support, and data security advisors. We may also share your Personal Data with professional advisors, such as auditors, law firms, and accounting firms.

• Your healthcare providers or family. With your consent, we may share your information, including information collected from your use of our Devices, with your health care providers and/or family members (e.g., immediate family or friends) that you designate to receive your information.

• Other health-focused mobile apps. With your consent, we may share your profile information and data collected from your connected devices with other health-focused mobile applications installed on your mobile device to help you track your health and wellness information. If you share your information with these apps, your Personal Data, including your health information, will be used in accordance with privacy policies for those separate apps, not this Privacy Notice.

• With your consent. We may share your Personal Data if you request or direct us to do so.

• Compliance with law. We may share your Personal Data to comply with applicable law or any obligations thereunder, including cooperation with law enforcement, judicial orders, and regulatory inquiries.

• Business Transfer. We may share your Personal Data to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of a bankruptcy, liquidation, or similar proceeding, in which Personal Data held by us about our users are among the assets transferred.

• To enforce our rights. We may share your Personal Data to enforce any applicable terms and conditions and Terms of Use, and to ensure the safety and security of our Services and our users.

• De-identified information. We may also disclose de-identified information (cannot be reasonably used to identify any individual) with third parties for marketing, advertising, research, or similar purposes. For example, we may share information such as your gender, height, weight, information about medications you have provided, and data from your connected devices, but we will not share your name or other information that could identify you.

• To market our products and services. We may share your Personal Data with affiliates and third parties to market our products and services.

• To market third party products and services. We may share your Personal Data with affiliates and third parties to market their products or services to you if you have not opted out of these disclosures. For more information on opting out, see Your Choices about how we share your Personal Data.

• Third Party Analytics. We use Google Analytics and Mixpanel to understand and evaluate how visitors interact with our Services. These tools help us improve our Services, performance, and your experience. Users may opt-out of Mixpanel's analytics tracking by visiting https://mixpanel.com/optout. If you choose to use the Mixpanel opt-out, you will need to access the opt-out on each device you use.

Your choices about how we share your Personal Data.

This section of our Privacy Notice provides details and explains how to exercise your choices. We offer you choices on how you can opt out of our use of tracking technology, disclosure of your Personal Data for our advertising to you, and other targeted advertising. We do not control the collection and use of your information collected by third parties. These third parties may aggregate the information they collect with information from their other customers for their own purposes. You can opt out of third parties collecting your Personal Data for targeted advertising purposes in the United States by visiting the National Advertising Initiative's (NAI) opt-out page and the Digital Advertising Alliance's (DAA) opt-out page. Each type of web browser provides ways to restrict and delete cookies. Browser manufacturers provide resources to help you with managing cookies. Please see below for more information.

• Google Chrome

• Internet Explorer

• Mozilla Firefox

• Safari (Desktop)

• Safari (Mobile)

• Android Browser

• Opera

• Opera Mobile

For other browsers, please consult the documentation that your browser manufacturer provides.

If you do not wish to have your e-mail address used by AliveCor to promote our own products and services, you can opt-out at any time by clicking the unsubscribe link at the bottom of any e-mail or other marketing communications you receive from us or logging onto your Account Preferences page. This opt out does not apply to information provided to AliveCor as a result of a product purchase, or your use of our Services. You may have other options with respect to marketing and communication preferences through our Services.

You may also see certain ads on other websites because we participate in advertising networks. Ad networks allow us to target our messaging to users through demographic, interest-based, and contextual means. These networks track your online activities over time by collecting information through automated means, including through the use of cookies, web server logs, and web beacons. The networks use this information to show you advertisements that may be tailored to your individual interests.

How do I access, correct, or delete my Personal Data?

You can review and change your Personal Data by logging into our Services and visiting either the “About You” or “Health Details” sections of our Services. You may also notify us through the Contact Information below of any changes or errors in any Personal Data we have about you to ensure that it is complete, accurate, and as current as possible or to delete your account. We cannot delete your personal data except by also deleting your account with us. We may also not be able to accommodate your request if we believe it would violate any law or legal requirement or cause the information to be incorrect.

The jurisdiction in which you are a resident or are located may provide you with additional rights and choices regarding your Personal Data. Please see Section VIII, Jurisdiction-Specific Privacy Rights, below, for more Information.

IV. Who may use the Services?

This Privacy Notice applies to all personal uses of our Services globally and you should not use the Services if you do not agree to the Privacy Notice. Privacy NoticePrivacy NoticePrivacy NoticeIf you are located in the United States or a country outside the EEA or Brazil, your information is stored in the United States, and by using or downloading the Service you agree that your Personal Data, including any information about your health that you provide directly to us or that we collect through your use of the Service, may be transferred to and stored in the United States. If you are a Brazilian user, we store your information in the European Union where all such information is processed in compliance with GDPR.

V. Children's Privacy

Our Services are not intended for children under 18 years of age. We do not knowingly collect or sell Personal Data from children under the age of 18. If you are under the age of 18, do not use or provide any information on or in these Services or through any of its features. If we learn we have collected or received Personal Data from a child under the age of 18 without verification of parental consent, we will delete it. If you are the parent or guardian of a child under 18 years of age whom you believe might have provided use with their Personal Data, you may Contact Us to request the Personal Data be deleted.

VI. Does AliveCor respond to Do Not Track signals?

Some web browsers have a “Do Not Track” feature. This feature lets you tell websites you visit that you do not want to have your online activity tracked. These features are not yet uniform across browsers. Our Website and App are not currently set up to respond to those signals.

VII. Data Security

We have taken steps and implemented administrative, technical, and physical safeguards designed to protect against the risk of accidental, intentional, unlawful, or unauthorized access, alteration, destruction, disclosure, or use. The Internet is not 100% secure and we cannot guarantee the security of information transmitted through the Internet. Where you have been given or you have chosen a password, it is your responsibility to keep this password confidential. The sharing and disclosing of information via the Internet is not completely secure. We strive to use best practices and industry standard security measures and tools (e.g., SOC2 and ISO 27001 certifications) to protect your data. However, we cannot guarantee the security of Personal Data transmitted to, on, or through our Services. Any transmission of Personal Data is at your own risk. We are not responsible for the circumvention of any privacy settings or security measures contained on our Website, our App, our Software, our Device, in your operating system, or mobile device. For more information, see our Security page.

VIII. Jurisdiction-Specific Privacy Rights

The law in some jurisdictions may provide you with additional rights regarding our use of Personal Data. To learn more about any additional rights that may be applicable to you as a resident of one of these jurisdictions, please see the privacy addendum for your jurisdiction that is attached to this Privacy Notice.

Your GDPR Privacy Rights

If you are a resident of the European Economic Area you have the additional rights described in our GDPR Privacy Addendum.

Your California Privacy Rights

If you are a resident of California, you have the additional rights described in the California Privacy Addendum.

Your Colorado Privacy Rights

If you are a resident of Colorado, you have the additional rights described in the Colorado Privacy Addendum.

Your Nevada Privacy Rights

If you are a resident of Nevada, you have the additional rights described in the Nevada Privacy Addendum.

Your Utah Privacy Rights

If you are a resident of Utah, you have the additional rights described in the Utah Privacy Addendum.

Your Virginia Privacy Rights

If you are a resident of Virginia, you have the additional rights described in the Virginia Privacy Addendum.

IX. Changes to our Privacy Notice

We may update our Privacy Notice periodically to reflect changes in our privacy practices, laws, and best practices. We will post any changes we make to our Privacy Notice on this page with a notice that the Privacy Notice has been updated on our Website's homepage or our App's home screen. If we make material changes to our practices with regards to the Personal Data we collect from you, we will notify you by e-mail to the e-mail address specified in your account and/or through a notice on the Website's home page or the App's home screen. The date this Privacy Notice was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable e-mail address for you, and for periodically accessing the App or visiting our Website and reviewing this Privacy Notice to check for any changes.

X. Contact Us

If you have any questions, concerns, complaints or suggestions regarding our Privacy Notice or otherwise need to contact us, you may contact us at the contact information below or through the “Contact Us” page on or in our Services.

GDPR Privacy Addendum

Last modified: [02/13/2023]

Neither this Privacy Notice nor this GDPR Privacy Addendum apply to NHS-patients or other users using the Services under the direction of a healthcare provider, where in such case the healthcare provider’s or its employer’s (e.g., NHS in the UK, any other government healthcare system, a public or private hospital or a physician’s office) privacy notice will apply, not this Privacy Notice.

I. Introduction

This GDPR Privacy Addendum (the “GDPR Privacy Addendum”) supplements the information contained in our Privacy Notice (our “Privacy Notice”) and applies solely to the users of our mobile apps (e.g., Kardia) for collecting and analyzing ECG data that may also include other related functionalities, software, and/or services who are located in the European Economic Area, the United Kingdom, and Switzerland. We adopt this GDPR Privacy Addendum to comply with the European Union’s and the UK’s General Data Protection Regulation, and any laws implementing the foregoing by any member states of the European Economic Area, the United Kingdom (including the UK Data Protection Act and the UK GDPR), and/or Switzerland (collectively, the “GDPR”). Unless otherwise defined in this GDPR Privacy Addendum, any terms defined in the GDPR or our Privacy Notice have the same meaning when used in this GDPR Privacy Addendum. When this GDPR Privacy Addendum is applicable to you, it takes precedence over anything contradictory in our Privacy Notice.

II. Data Controller, Data Protection Officer, and Representative

For those for whom the Privacy Notice and this Addendum do apply, AliveCor is the Data Controller of the Personal Data you provide on the Services. If you are an EEA or a UK user, your Personal Data you provide on the Service is stored within the EEA.

AliveCor has appointed a Data Protection Officer (Bill Jacobs) in compliance with the GDPR. At this time, AliveCor is not required to appoint a Data Protection Officer or representative in the United Kingdom, and has elected not to do so. AliveCor and its subsidiary, AliveCor, LTD, and its Data Protection Officer may be contacted in any manner set forth below in Contact Information.

III. Information We Collect About You and How We Collect It

The Personal Data we collect and the ways in which we collect it are described in our Privacy Notice.

The Personal Data we collect from you is required to enter into an agreement for services with AliveCor, for AliveCor to provide the product and services under that agreement, and to provide you with our products and services. If you refuse to provide such Personal Data or withdraw your consent to our processing of Personal Data (when appropriate), then in some cases we may not be able to enter into the contract or fulfill our obligations to you under it.

IV. Lawful Basis for Processing Your Personal Data

The processing of your Personal Data is lawful only if it is permitted under the GDPR.

Under Art 6(1)[a] and Art 9 (2)[a] of applicable GDPR regulations (UK or EU), we rely on your consent as a lawful basis to process your Personal Data for the following purposes:

• Initial collection of Personal Data through the Services; and

• Providing you with marketing or promotional communications but only when You have ticked a box to positively opt-in to receiving such communications; to be clear this DOES NOT constitute Your consent. You may opt-out of such communications at any time by clicking the “unsubscribe” link found within the AliveCor e-mail updates and changing your contact preferences.

By using our Services, you consent to our collection, use, and sharing of your Personal Data as described in our Privacy Notice and this GDPR Privacy Addendum. If you do not consent to the terms of our Privacy Notice and this GDPR Privacy Addendum, please do not use our Services. You may terminate Your participation by sending directions to any of the contacts set forth below in Contact Information.

We also process Personal Data based on our contractual obligations to provide you the Services as described in How do we share your Personal Data?, including:

• To enable the Service to function as expected.

• To communicate with you in response to customer services inquiries, to deliver non-promotional, service-related e-mails, or to administer surveys and questionnaires. Please note, initial contact with AliveCor customer service is provided by a third party contractor (“Customer Service Contractor”). The Customer Service Contractor does not have access to Your account or any information in Your account. Information You provide to our Customer Service Agent may be transmitted to the US or the Philippines to permit the Customer Service Contractor or AliveCor to address the issue You have presented. The Customer Service Contractor has all appropriate standard contractual clauses (SCCs) in place to make this transmission fully compliant with GDPR as interpreted under Schrems II.

• To tailor your experience based on your general region. For example, we process clinician review requests from EEA/UK-based users through an EEA-based clinician review partner.

AliveCor may also process Personal Data as Required by Law or to protect your vital interests or those of another person. Accordingly, we may also process your Personal Data when we are required or permitted to by law; to comply with government inspections, audits, and other valid requests from government or other public authorities; to respond to legal process such as subpoenas; or as necessary for us to protect our interests or otherwise pursue our legal rights and remedies (for instance, when necessary to prevent or detect fraud, attacks against our network, or other criminal and tortious activities), defend litigation, and manage complaints or claims. We will process your Personal Data as necessary for our legitimate interests. Our legitimate interests are balanced against your rights and freedoms and we do not process your Personal Data if your rights and freedoms outweigh our legitimate interests. Our legitimate interests are to: facilitate communication between AliveCor and you; detect and correct bugs and to improve our Services; safeguard our IT infrastructure and intellectual property; detect and prevent fraud and other crime; develop our product and services.

V. Automated Decision Making

Our processing of Personal Data may include automated decision making, including profiling, which may produce a legal effect concerning you or similarly significantly affect you. The algorithms used for our automated decision making process classifies and categorizes your health (i.e., the instant determinations provided (e.g., normal sinus rhythm, bradycardia, tachycardia, atrial fibrillation or unclassified)), based on data collected by the Devices and Personal Data collected by the Services.

VI. How We Use Your Information

We use your Personal Data as described in our Privacy Notice.

VII. Disclosure of Your Information

We do not share or otherwise disclose your Personal Data for purposes other than to the entities and for the purposes described in our Privacy Notice.

VIII. Your Rights Regarding Your Information and Accessing and Correcting Your Information

The GDPR (UK and EU) provides you with certain rights with regards to our processing of your Personal Data. These rights replace the similar rights provided in our Privacy Notice or are supplemental to such rights.

• Access and Update. You can review and change your Personal Data by notifying us through the Contact Information below of any changes or errors in any Personal Data we have about you to ensure that it is complete, accurate, and as current as possible. We may not be able to accommodate your request if we believe it would violate any law or legal requirement or cause the information to be incorrect.

• Restrictions. You have the right to restrict our processing of your Personal Data under certain circumstances. In particular, you can request we restrict our use of it if you contest its accuracy, if the processing of your Personal Data is determined to be unlawful, or if we no longer need your Personal Data for processing but we have retained it as permitted by law.

• Portability. To the extent the Personal Data you provide AliveCor is processed based on your consent or that we process it through automated means, you have the right to request that we provide you a copy of, or access to, all or part of such Personal Data in structured, commonly used and machine-readable format. You also have the right to request that we transmit this Personal Data to another controller, when technically feasible.

• Withdrawal of Consent. To the extent that our processing of your Personal Data is based on your consent, you may withdraw your consent at any time by closing your account. Withdrawing your consent will not, however, affect the lawfulness of the processing based on your consent before its withdrawal, and will not affect the lawfulness of our continued processing that is based on any other lawful basis for processing your Personal Data.. You may terminate Your participation by sending directions to any of the contacts set forth below in Contact Information.

• Right to be Forgotten. You have the right to request that we delete all of your Personal Data. We cannot delete your Personal Data except by also deleting your user account, and we will only delete your account when we no longer have a lawful basis for processing your Personal Data or after a final determination that your Personal Data was unlawfully processed. We may not accommodate a request to erase information if we believe the deletion would violate any law or legal requirement or cause the information to be incorrect. In all other cases, we will retain your Personal Data as set forth in this policy. In addition, we cannot completely delete your Personal Data as some data may rest in previous backups. These will be retained for the periods set forth in our disaster recovery policies.

• Complaints. You have the right to lodge a complaint with the applicable supervisory authority in the country you live in, the country you work in, or the country where you believe your rights under applicable data protection laws have been violated. However, before doing so, we request that you contact us directly in order to give us an opportunity to work directly with you to resolve any concerns about your privacy.

• How You May Exercise Your Rights. You may exercise any of the above rights by contacting us through any of the methods listed under Contact Us below. If you contact us to exercise any of the foregoing rights, we may ask you for additional information to verify your identity. We reserve the right to limit or deny your request if you have failed to provide sufficient information to verify your identity or to satisfy our legal and business requirements. Please note that if you make unfounded, repetitive, or excessive requests (as determined in our reasonable discretion) to access your Personal Data, you may be charged a fee subject to a maximum set by applicable law.

IX. Data Retention Periods

AliveCor will retain your Personal Data for the entire time that you keep your account open or until you request us to delete your Personal Data (subject to above). After this period, we may retain your Personal Data for [x] years, or for any of the reasons listed below, whichever is longer:

• for as long as necessary to comply with any legal requirement;

• on our backup and disaster recovery systems in accordance with our backup and disaster recovery policies and procedures;

• for as long as necessary to protect our legal interests or otherwise pursue our legal rights and remedies; and

• for data that has been aggregated or otherwise rendered anonymous in such a manner that you are no longer identifiable, indefinitely.

X. Changes to This GDPR Privacy Addendum

We may change this GDPR Privacy Addendum at any time. We will post any changes we make to this GDPR Privacy Addendum on this page with a notice that this GDPR Privacy Addendum has been updated on our Website's homepage or our App's home screen.  If we make material changes to our practices with regards to the Personal Data we collect from you, we will notify you by e-mail to the e-mail address specified in your account and/or through a notice on the App's home screen. The date this GDPR Privacy Addendum was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable e-mail address for you, and for periodically accessing the App or reviewing this GDPR Privacy Addendum to check for any changes.

XI. Contact Information

If you have any questions, concerns, complaints, or suggestions regarding our Privacy Notice or this GDPR Privacy Addendum, have any requests related to your Personal Data described in the Privacy Notice or this GDPR Privacy Addendum, or otherwise need to contact us, you may contact us at the contact information below or through the “Contact Us” page on or in our App and/or Software.

To Contact Our Representative in the EU

AliveCor, LTD
Herschel House
58 Herschel Street
Slough SL1 1PG
E-mail: Privacy@AliveCor.com

To Contact Our Data Protection Officer

Attn: Bill Jacobs
189 N. Bernardo Ave. Ste. 100
Mountain View, CA
94043
E-mail: privacy@alivecor.com